After an October cyberattack on CommonSpirit, one of the largest U.S. hospital networks, 20 million Americans in 21 U.S. states are still at risk of receiving substandard medical care, the Daily Mail reports. Because of the hackers’ actions, hospital staff have lost access to patients’ electronic medical records and other programs. The cyberattack has already resulted in cases of drug overdoses, emergency surgery postponements, and ambulances being diverted to other hospitals.
20 million Americans are at risk for substandard health care after a cyberattack on one of the largest U.S. hospital networks last month, the Daily Mail reported, citing security experts.
CommonSpirit Health, a system that operates 140 hospitals and more than 1,000 medical facilities, including cancer clinics, surgery centers and stroke centers, suffered a serious cyberattack with a ransomware program on Oct. 3.
The FBI, Department of Justice and CommonSpirit network executives declined to comment on the extent of the cyberattack. They also did not respond to a question about whether the problem had been resolved, despite numerous inquiries from the publication.
This means that Americans in 21 states are still at risk of receiving substandard medical care. And this is not an unsubstantiated statement: the cyberattack has already had real consequences for patients. For example, on Oct. 4, when a computer system containing patient-specific dosage information was disabled, a three-year-old boy from Iowa was accidentally given a dose of opioids many times higher than normal. Surgeries for patients with brain hemorrhages, ovarian cysts, and cancerous tumors who required urgent medical care were delayed for a month. There was also a case of an ambulance being diverted from a hospital affected by a cyberattack to a hospital that was not part of the CommonSpirit network.
Anonymous posts by social media users calling themselves employees of CommonSpirit hospitals describe patient care as “horrible and unsafe.” They report treating patients without full access to their electronic medical records.
James McGibney, a former U.S. Marine Corps cybersecurity expert, told the Daily Mail that the situation could still be “very dangerous,” especially if doctors are actually treating patients without access to medical records.
He noted, “They know they still need to treat the patient, but they act based on what the patient tells them. A lot can go wrong.”
CommonSpirit executives confirmed that a group of cybercriminals had infiltrated the hospital network’s computer system and encrypted all of its databases, including patients’ electronic medical records, making it impossible for any staff member to access them.
Usually after this step, ransomware hackers ask for money in exchange for a decryption key that allows administrators to get back into the system. Without access to patients’ electronic health records and other hospital programs, including medication dispensing systems, doctors and nurses are effectively treating patients “blind.
After the previous major cyberattack, it took more than a week for hospitals to regain access to the system. However, the consequences could be felt for a long time, as it is almost impossible to determine whether the perpetrators made any changes to the databases.
Cybersecurity expert Ken Westin says the hacker attack had a “significant” impact on patients.
He notes: “We have recorded cases where doctors have not had access to some of the information needed to provide medical care. Cases of incorrect dosages of prescribed medications. Many surgeries had to be rescheduled.”
“No fatalities have been reported so far. But if a patient has an emergency surgery and has to be rescheduled for two weeks because of an extortion incident, it could happen,” the expert told the Daily Mail.